How to run Sophos?

Sadly, our company requires us to run some Antivirus software on our work laptops. For Linuxes, this is Sophos. It seems that Sophos isn’t packaged for NixOS, which I’d sort of expect because it’s unfree, and to be frank, who would ever need it.

So I hate to ask, but: Can I somehow install it?

“Anti-virus” software is basically a rootkit, because it has to intercept every file access, which requires a kernel module. It’s more than likely that Sophos will require that too. Unfortunately, you have to buy a license before you can even download it, so I can’t check.

Maybe you can talk to the person in charge and ask whether ClamAV will do as well, because there is already a module available for NixOS.

On a personal note, this seems very pointless to me. Why does your company allow you to run your own operating system in the first place? Also, using an anti-virus on Linux is really unnecessary. The existence of Android has proven that the Unix user separation is a sufficiently powerful concept to prevent unauthorized access to private data (one app cannot read another app’s data). If Unix users weren’t secure enough we’d hear about stolen credit card info on smartphones every day.

> Maybe you can talk to the person in charge and ask whether ClamAV will do as well, because there is already a module available for NixOS.

The irony is that ClamAV doesn’t count because it’s free.

> On a personal note, this seems very pointless to me.

I agree. Unfortunately, this is an irrational decision and compromise on a management level above me, so my options are pretty limited. Basically, I can only comply, but I’m still allowed to install the software myself.

Never underestimate the irrationality of corporate IT.

I did some consulting work for a Fortune 500 company some years ago that had a similar policy. You could BYOD running whatever OS you wanted, but it had to have the same AV that they were using. My solution: run it in a VM. As in, have a Windows VM that ran MS Office and their AV while all the work happened directly on Linux. I cleared it with their compliance guy - he was cool with it as long as we could honestly check the boxes.

Hello from a person that has a running NessusAgent on their NixOS system.
Honestly, that Agent is just scanning its own little sandbox:

  • “Cannot find any installed packages.”
  • “Great, none of the packages that are in my list of vulnerable softwares are installed. Awesome!”
  • “Not even a package manager installed. Perfect! No security issues found!”

Security Manager: As long as that thing says there are no issues, it’s fine.

I am new here and to NixOS and I am attempting to do what you have done (getting a successful scan via Nessus). How did you do that? Can you point me in the right direction? I am not using the agent.

Last time I worked on that, Nessus didn’t support NixOS. If that hasn’t changed, all you can do is lock it in a sandbox, e.g. with buildFHSEnv.
I did that for the agent. You’re on your own without the agent.